Tomasz Kacprzynski – CCIE#36159


Nexus – iBGP with BFD

I’ve been trying to set up a BFD neighbor for a link connecting two important sites on a Nexus 7010. That link is only using iBGP for routing. This seems like a really easy thing to do, unless you run into bad documentation with a few key facts missing.

The problem with this feature is that the BFD peers won’t see each other as neighbors. You won’t see any debug messages, keepalives or any other BFD packets. When I was troubleshooting it, I noticed that specifying a source and destination IP address for the BFD neighbors (under the interface) brought up the adjacency. The problem with that was that BGP didn’t recognize that IP address, and during testing BFD didn’t bring down the BGP neighbor.

Doing more research and with the help of TAC, we found a little bullet point in the Nexus 3000 documentation.

Basically, for the BFD feature to work on Nexus 7000, you have to specify the update-source for the iBGP session. Very simple and easy, but if not documented then it’s a little bit difficult to know. I would never think of going to the Nexus 3000 documentation for a Nexus 7000 configuration. See below for full configuration.

show ip bgp summary | i BFD
BFD live-detection is configured and enabled, state is Up

Now that everything is nicely set up, how do you test it? You can’t just disconnect or shut down the interface, because bgp fast-external-fallover will bring the BGP session down as soon as the interface status changes. One way to test is to filter only BFD and BGP messages. For that I created a new ACL, TEST-BDF-BGP, that blocks ports 3784 & 3785 (BFD and BFD-Control) and TCP 179 for BGP. If the BGP session goes down before the default BGP hold timer expires, BFD triggered it and our test succeeds.
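A minimal NX-OS sketch of the setup and the failure test described above, added here as an illustration and not the author's original configuration. The AS number, addresses, interface name and BFD timers are assumptions; the ACL name and ports are the ones named in the post.

```text
! Added example, not the author's configuration.
! Assumed values: AS 65001, 10.1.1.0/30 link, Ethernet1/1, 250 ms timers.

feature bgp
feature bfd

interface Ethernet1/1
  ip address 10.1.1.1/30
  ! BFD on NX-OS requires ICMP redirects to be disabled on the interface
  no ip redirects
  bfd interval 250 min_rx 250 multiplier 3
  no shutdown

router bgp 65001
  neighbor 10.1.1.2 remote-as 65001
    ! The missing piece from the post: without update-source the
    ! BFD session for the iBGP peer never comes up
    update-source Ethernet1/1
    bfd
    address-family ipv4 unicast

! --- Failure test only: remove after testing ---
! Drops BFD (UDP 3784/3785) and BGP (TCP 179) while the link stays up,
! so interface-state fallover does not mask the BFD result.
ip access-list TEST-BDF-BGP
  10 deny udp any any eq 3784
  20 deny udp any any eq 3785
  30 deny tcp any any eq bgp
  40 deny tcp any eq bgp any
  50 permit ip any any

interface Ethernet1/1
  ip access-group TEST-BDF-BGP in

! Verify before and after applying the ACL:
!   show bfd neighbors
!   show ip bgp summary | i BFD
! Roll back the test:
!   interface Ethernet1/1
!     no ip access-group TEST-BDF-BGP in
```

With the assumed timers BFD should declare the peer down in about 750 ms (3 x 250 ms), far inside the BGP hold timer, so a session that drops almost immediately after the ACL is applied was torn down by BFD.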

In this particular scenario there is no IGP. Directly connected links are used to establish the iBGP session, so you don’t need an IGP. You can enable BFD for IGP and iBGP at the same time, which synchronizes the convergence.

The ACL in my post is there to demonstrate how to simulate a failure. It is designed to break BFD by denying BFD packets. If you are deploying BFD, just don’t use the ACL. Hope I’m understanding your question correctly.